
169 Quantitative hazard and risk analysis

QUANTITATIVE HAZARD AND RISK ANALYSIS

G. Tarnai a), B. Sághi a), I. Krbilová b)

a) Dept. of Control and Transport Automation, Budapest University of Technology and Economics
b) Dept. of Control and Information Systems, University of Žilina
e-mail: tarnai@kaut.kka.bme.hu

Summary. In this paper a quantitative method for hazard and risk analysis is discussed. The method was developed and introduced for the allocation of safety requirements to the functions of a railway signaling remote control system.

1. INTRODUCTION

In the case of safety critical railway systems a hazard and risk analysis (HRA) must be performed in order to establish the safety requirements for the system. Based on the analysis, the safety integrity requirement concerning random and systematic faults can be established for each safety critical function of the system (those functions whose fault can lead to a hazard) [1], [2].

The analysis and the definition of the safety requirements vary with the risk parameters used, and so the method can be quantitative, qualitative or semi-quantitative [3], [4].

In this paper a quantitative method is introduced, which was developed and applied for the risk analysis of a railway signaling remote control system [5].

2. MAIN STEPS OF THE ANALYSIS

In the preparation phase of the analysis the following steps must be performed:
- definition of the interfaces of the system;
- listing of all potentially hazardous outputs of the system (commands and indications);
- definition of the possible failure modes of the outputs (these are object mistake, function mistake and unintended command output in the case of commands, and faulty indication in the case of indications);
- identification of the possible consequence (severity of damage) of each hazard; here the damage categories suggested by the standard EN 50126 [1] were used.

The risk of a hazard is determined not only by the severity of the damage it can cause, but also by the occurrence frequency or probability of the hazard. The calculated risks have to be classified into risk classes, and for each risk class the necessary integrity requirements must be defined. The latter can be achieved e.g. by assigning a tolerable hazard rate (THR) to each risk class.

According to the proposed method, as the first step THR values are assigned directly to the damage categories, independently of the frequency or probability of the hazard (Tab. 1). More serious hazards are thus allowed to occur less frequently, so the tolerable risk level of the different hazardous functions can be kept the same [6].

Of course, other THR values in the assignment, or any other definition of THR, can be adopted; this does not influence the proposed hazard and risk analysis procedure as a whole.

Tab. 1. Assignment of THR values to damage categories

  Consequence (damage)   THR [h^-1]
  catastrophic           10^-9
  critical               10^-8
  minor                  10^-7
  irrelevant             10^-6

From the THR value the tolerable hazard probability of the system at the end of the projected lifetime T of the equipment can be calculated according to (1).

$$p_h(T) = 1 - e^{-\mathrm{THR}\cdot T} \qquad (1)$$

In most cases a hazard caused by a faulty function of the examined system does not lead directly to an accident; it does so only if certain events occur at the same time or a given situation exists simultaneously. The probability of these traffic or operational situations can be determined statistically and can be handled as a constant probability [6]. In the course of the analysis the necessary contemporary events and situations must be identified for every hazard, and their probabilities have to be calculated. Finally, if more than one contemporary event is necessary for an accident to develop, the resulting probability p_c has to be calculated. In the simple case the resulting probability is the product of the single probabilities (this presupposes that the events are independent of each other); for a more complicated combination of the contemporary events, fault tree analysis can be used to calculate the resulting probability. The probability of an accident at the end of the projected lifetime of the investigated equipment can then be calculated according to (2).

$$p_1(T) = p_c \cdot p_h(T) \qquad (2)$$

Since the reduction factor p_c of the contemporary events is taken into account, the tolerable failure probability of the equipment, p_b(T), may be larger by the factor 1/p_c than it would be without reduction factors, as shown in (3) (Fig. 1, Fig. 2).
Advances in Electrical and Electronic Engineering 170

$$p_b(T) = \begin{cases} p_h(T)/p_c, & \text{if } p_h(T)/p_c < 1 \\ 1, & \text{otherwise} \end{cases} \qquad (3)$$

The latter case means that the reduction factors alone fulfil the required THR value, so no requirement needs to be prescribed for the examined system (the required safety is fulfilled even if the equipment is always faulty).

Fig. 1. Calculation of tolerable failure probability (block diagram, not reproduced; its blocks are: tolerable hazard probability, probability of contemporary events, tolerable failure probability of the equipment)

Fig. 2. Failure probabilities (figure not reproduced)

If p_b(T) < 1, the tolerable failure rate of the equipment can be calculated from its tolerable failure probability, as shown by (4).

$$\mathrm{bTHR} = -\frac{\ln\bigl(1 - p_b(T)\bigr)}{T} \qquad (4)$$

The value bTHR represents the required integrity against random hardware faults for the examined function and failure mode. Integrity requirements against systematic and software faults can be determined by means of Safety Integrity Levels (SIL), based on the bTHR value.

Tab. 2. Assignment of SIL to bTHR values

  bTHR per function and hour     Safety Integrity Level (SIL)
  10^-9 ≤ bTHR < 10^-8           4
  10^-8 ≤ bTHR < 10^-7           3
  10^-7 ≤ bTHR < 10^-6           2
  10^-6 ≤ bTHR < 10^-5           1
  10^-5 ≤ bTHR                   0

The Safety Integrity Levels assigned to the bTHR values are shown in Tab. 2. The table is identical with that of the normative Annex A of EN 50129 [2].

3. RESULTS

A detailed analysis of all failure modes of all potentially hazardous functions has to be performed according to the procedure described above. If a hazard of a failure mode of a function can result in more than one consequence, the most rigorous value has to be considered, i.e. the one that results after all the different reduction factors have been taken into account.

Based on the results of the analysis, the remote control equipment has to be constructed so that
- the hazardous failure rate of a function does not exceed the tolerable failure rate bTHR defined for the given function (random faults); and
- the guidelines and requirements of the standards EN 50128 and EN 50129 are fulfilled with respect to the defined safety integrity level.

In summary, the proposed quantitative method requires higher expenditure than the usual qualitative ones, because of the large amount of initial statistical data needed. However, the higher expenditure is traded off against more precise results, which make it possible to put lower safety requirements on some functions of the system; thus the development and operation of the system can be less expensive, while the system does not cause more hazards than tolerable.

REFERENCES
[1] CENELEC: Railway Applications - The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS). EN 50126, 1998.
[2] CENELEC: Railway Applications - Safety Related Electronic Systems for Signalling. EN 50129, 2003.
[3] Braband, Hirao, Luedeke: The relationship between the CENELEC railway signalling standards and other safety standards. SIGNAL+DRAHT, 12/2003.
[4] Tarnai, G.: Harmonisation Method of Safety Validation Systems. Komunikacie / Communications - Scientific Letters of the University of Zilina, 4/99. Zilina, 1999. pp. 12-16.
[5] Lantos, P., T. Mos: Safety certification procedure according to CENELEC standards. Vezetékek Világa, Hungarian Rail Technology Journal, 2005/4. pp. 3-6. (Hungarian)
[6] Tarnai, G., B. Sághi: Hazard and Risk Analysis in the Railway Interlocking Domain. Vezetékek Világa, Hungarian Rail Technology Journal, 2006/1. (Hungarian)
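The whole chain of Sec. 2 and Sec. 3 (Tab. 1, eq. (1), the reduction factor p_c, the cap of eq. (3), eq. (4) and the SIL lookup of Tab. 2, plus the "most rigorous value" rule for a failure mode with several consequences) carried through in Python, as an added worked example that is not code from the paper or its authors. The 20-year lifetime, the event probabilities and the multiplicative (independent-events) form of p_c are assumptions made here for the constructed input.

```python
import math

# Tab. 1 of the paper: THR [1/h] ordered directly to the damage category
THR_BY_CONSEQUENCE = {"catastrophic": 1e-9, "critical": 1e-8,
                      "minor": 1e-7, "irrelevant": 1e-6}
# Tab. 2 of the paper (Annex A of EN 50129): low <= bTHR < high -> SIL
SIL_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]

def tolerable_hazard_probability(thr, T):
    """Eq. (1): p_h(T) = 1 - exp(-THR * T), T = projected lifetime in hours."""
    return 1.0 - math.exp(-thr * T)

def reduction_factor(event_probabilities):
    """Sec. 2 simple case: p_c = product of independent event probabilities (1 if none)."""
    return math.prod(event_probabilities)

def tolerable_failure_probability(ph, pc):
    """Eq. (3): p_b(T) = p_h(T) / p_c, capped at 1 when the reduction alone suffices."""
    return min(ph / pc, 1.0)

def tolerable_failure_rate(pb, T):
    """Eq. (4): bTHR = -ln(1 - p_b(T)) / T; None when p_b(T) = 1 (no requirement)."""
    return None if pb >= 1.0 else -math.log(1.0 - pb) / T

def sil_for(bthr):
    """Tab. 2 lookup; bTHR >= 1e-5 gives SIL 0. bTHR < 1e-9 cannot occur in this
    method, since p_b >= p_h implies bTHR >= THR >= 1e-9 for every Tab. 1 category."""
    if bthr >= 1e-5:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= bthr < high:
            return sil
    raise ValueError(f"bTHR {bthr:.3e} is below the range of Tab. 2")

def required_bthr(consequences, T):
    """Sec. 3 rule: a failure mode with several possible consequences (each with its own
    contemporary events) gets the most rigorous, i.e. smallest, bTHR; None if none applies."""
    rates = []
    for damage, events in consequences:
        ph = tolerable_hazard_probability(THR_BY_CONSEQUENCE[damage], T)
        pb = tolerable_failure_probability(ph, reduction_factor(events))
        bthr = tolerable_failure_rate(pb, T)
        if bthr is not None:
            rates.append(bthr)
    return min(rates) if rates else None

# Constructed input: 20-year lifetime; a catastrophic outcome that needs two
# contemporary events (assumed probabilities 0.05 and 0.2, so p_c = 0.01).
LIFETIME_H = 20 * 8760
EXAMPLE_BTHR = required_bthr([("catastrophic", [0.05, 0.2])], LIFETIME_H)
```

With p_c = 0.01 the catastrophic THR of 10^-9 relaxes to a bTHR just above 10^-7, i.e. SIL 2 instead of SIL 4; adding a second, direct "critical" consequence to the same failure mode brings the requirement back down to 10^-8 (SIL 3), because the smaller value wins.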
